blacklistd.conf(5)
- NetBSD Manual Pages
BLACKLISTD.CONF(5) NetBSD File Formats Manual BLACKLISTD.CONF(5)
NAME
blacklistd.conf -- configuration file format for blacklistd
DESCRIPTION
The blacklistd.conf files contains configuration lines for blacklistd(8).
It contains one entry per line, and is similar to inetd.conf(5). There
must be an entry for each field of the configuration file, with entries
for each field separated by a tab or a space. Comments are denoted by a
``#'' at the beginning of a line.
There are two kinds of configuration lines, local and remote. By
default, configuration lines are local, i.e. the address specified refers
to the addresses on the local machine. To switch to between local and
remote configuration lines you can specify the stanzas: ``[local]'' and
``[remote]''.
On local and remote lines ``*'' means use the default, or wildcard match.
In addition, for remote lines ``='' means use the values from the matched
local configuration line.
The first four fields, location, type, proto, and owner are used to match
the local or remote addresses, whereas the last 3 fields name, nfail, and
disable are used to modify the filtering action.
The first field denotes the location as an address, mask, and port. The
syntax for the location is:
[<address>|<interface>][/<mask>][:<port>]
The address can be an IPv4 address in numeric format, an IPv6 address in
numeric format and enclosed by square brackets, or an interface name.
Mask modifiers are not allowed on interfaces because interfaces have mul-
tiple address in different protocols where the mask has a different size.
The mask is always numeric, but the port can be either numeric or sym-
bolic.
The second field is the socket type: stream, dgram, or numeric. The
third field is the prococol: tcp, udp, tcp6, udp6, or numeric. The
fourth file is the effective user (owner) of the daemon process reporting
the event, either as a username or a userid.
The rest of the fields are controlling the behavior of the filter.
The name field, is the name of the packet filter rule to be used. If the
name starts with a ``-'', then the default rulename is prepended to the
given name. If the name contains a ``/'', the remaining portion of the
name is interpreted as the mask to be applied to the address specified in
the rule, so one can block whole subnets for a single rule violation.
The nfail field contains the number of failed attempts before access is
blocked, defaulting to ``*'' meaning never, and the last field disable
specifies the amount of time since the last access that the blocking rule
should be active, defaulting to ``*'' meaning forever. The default unit
for disable is seconds, but one can specify suffixes for different units,
such as ``m'' for minutes ``h'' for hours and ``d'' for days.
Matching is done first by checking the local rules one by one, from the
most specific to the least specific. If a match is found, then the
remote rules are applied, and if a match is found the name, nfail, and
disable fields can be altered by the remote rule that matched.
The remote rules can be used for whitelisting specific addresses, chang-
ing the mask size, or the rule that the packet filter uses, the number of
failed attempts, or the blocked duration.
FILES
/etc/blacklistd.conf Configuration file.
EXAMPLES
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface
[local]
# location type proto owner name nfail duration
bnx0:ssh * * * * 3 6h
[remote]
# Never block 1.2.3.4
1.2.3.4:ssh * * * * * *
# For addresses coming from 8.8.0.0/16 block class C networks instead
# individual hosts, but keep the rest of the blocking parameters the same.
8.8.0.0/16:ssh * * * /24 = =
SEE ALSO
blacklistctl(8), blacklistd(8)
HISTORY
blacklistd.conf appeared in NetBSD 7.
AUTHORS
Christos Zoulas
NetBSD 7.0 April 29, 2015 NetBSD 7.0
Powered by man-cgi (2021-06-01).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.